Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks

Staff MemberContent Creator

The threat to information is greater than ever, with data breaches, phishing attacks, and other forms of information theft like point-of-sale malware and ATM hacks becoming all too common in today's threat landscape. Information-stealing trojans are in the same category of threats that deliver a steady stream of risk to data and can lead to significant financial loss.

Qakbot and Emotet are information stealers that have been showing renewed activity in recent months. These malware families are technically different, but they share many similarities in behavior. They both have the ultimate goal of stealing online banking credentials that malware operators can then use to steal money from online banking accounts. They can also steal other sensitive information using techniques like keylogging.

Figure 1. Qakbot and Emotet monthly machine encounters show an upward trend. This data doesn’t include Qakbot and Emotet variants blocked by automation and cloud rules.

Even though these malware families are typically known to target individual online banking users, more and more enterprises, small and medium businesses, and other organizations have been affected by indiscriminate infections.

Figure 2. Breakdown of Qakbot and Emotet machine encounters

Recent variants of these malware families have spreading capabilities, which can increase the chances of multiple infections in corporate networks. They can also be spread by other malware during the lateral movement stage of a cyberattack.

Typical Qakbot and Emotet kill chain

Over the years, the cybercriminals behind Qakbot and Emotet have improved the code behind their malware. They have evolved to evade detection, stay under the radar longer, and increase the chances of spreading to other potential victims.

We mapped some of the common behaviors we’ve seen in Qakbot and Emotet variants and see a lot of similarities.

Figure 3. Qakbot and Emotet attack kill chain. Note that some Qakbot and Emotet variants might not exhibit all of the behaviors above and might be capable of unique routines.

Because of similarities in behavior, Qakbot and Emotet can be mitigated by similar security measures.

Steps to mitigate Qakbot and Emotet

Based on our experience helping organizations get rid of Qakbot and Emotet, the following steps mitigate infection and ultimately remove the said malware from corporate networks:

Stop the spread of malware and cut off communication with its command-and-control server

Stop sharing folders that show signs of infection or set shared folders to read-only. Removing admin shares is an option that should only be used as a last resort as this can cause other issues and hinder management

Practice credential hygiene. Remove unnecessary privileges, or disable privileged accounts that have been observed to spread malware using SMB.

For each one, in the configuration dialog box, click to clear the check boxes for Full Control, Modify, and Write for both Administrators and System, and then click OK.
In the Add Object dialog box, click Replace existing permissions in all subkeys with inheritable permissions and click OK.
(Note: When the crisis is over, you can revert this setting by restoring permissions and reapplying the group policy—removing the GPO will not restore original permissions.)

Uncover undetected variants by inspecting infected systems for scheduled tasks and their target binaries. The Sysinternals Autoruns tool can be your friend here. Windows Defender ATP customers can review the timeline of known affected machines to find undetected malware components. Additional affected machines can be identified by reviewing the incident graph for the relevant alert or by searching for threat known artifacts, such as file SHA1s, IP addresses, and URLs.

Monitor the network for possible reinfection

Determine and address the initial attack vector. Use security solutions like Windows Defender ATP, which provides detailed timelines and other contextual information to understand the nature of attacks and take response actions.

Slowly reintroduce network connectivity to the subset of the machines that have been cleaned. Monitor them for reinfection.

Reintroduce network connectivity to all affected machines that are believed to be clean.

While the steps above can rid networks of Qakbot and Emotet, preventing infection eliminates opportunities for these threats to steal info. Windows 10 S is a streamlined platform with Microsoft-verified security. It blocks malware like Qakbot and Emotet and other malicious programs by working exclusively with apps from the Windows Store, ensuring that only apps that went through the Store onboarding, vetting, and signing process are allowed to run.

Additionally, Windows 10 has a comprehensive defense stack that can help block and detect malware like Qakbot and Emotet.

Use Microsoft Edge to block Qakbot and Emotet infections from the web. Microsoft Edge opens pages within low privilege app containers and uses reputation-based blocking of malicious downloads. Its click-to-run feature for Flash can stop malware infections that begin with exploit kits. With Windows Defender Application Guard, Microsoft Edge has an additional hardware isolation-level capability on top of its exploit mitigation and sandbox features.

Use Credential Guard to protect domain credentials and help stop malware from spreading using compromised credentials.

Enable Windows Defender AV to detect Qakbot and Emotet variants, as well as all related malware such as droppers and downloaders. Windows Defender AV uses precise machine learning models as well as generic and heuristic techniques and enhanced behavior analysis to detect common and complex malware code. It provides advanced real-time protection against new and unknown files using the Windows Defender AV cloud protection service.

Use Windows Defender Advanced Threat Protection to flag Qakbot or Emotet infections and to enable security operations personnel to stop the spread of these threats in the network. Windows Defender ATP’s enhanced behavioral and machine learning detection libraries flag malicious behavior across the malware infection process, from delivery and installation, to persistence mechanisms, command-and-control communication, and lateral movement. The new process tree visualization and improvements in machine isolation further help security operations to investigate and respond to attacks.

These end-to-end security features in Windows 10 help defend against increasingly complex malware attacks. At Microsoft, we continue to harden Windows 10 against attacks. With Fall Creators Update, we shipped several new and enhanced security features that make Windows 10 the most secure version of Windows yet. Learn more about these features:

It is also important for organizations to augment these security technologies with a security-aware workforce. Educating employees on social engineering attacks and internet safety, and training them to report suspicious emails or websites can go a long way in protecting networks against cyberattacks.

About Us

Our community has been around since 2010, and we pride ourselves on offering unbiased, critical discussion among people of all different backgrounds about security and technology . We are working every day to make sure our community is one of the best.

Helpful Links

Need Malware Removal Help?

If you're being redirected from a site you’re trying to visit, seeing constant pop-up ads, unwanted toolbars or strange search results, your computer may be infected with malware.
We offer free malware removal assistance to our members in the Malware Removal Assistance forum.

Quick Tip

Without meaning to, you may click a link that installs malware on your computer. To keep your computer safe, only click links and downloads from sites that you trust. Don’t open any unknown file types, or download programs from pop-ups that appear in your browser.